Managesieve

So that our mail users can edit their Sieve rules directly from Roundcube, we enable the associated managesieve plugin.

Here, too, we first copy the default file from the RPM package.

# cp /usr/share/roundcubemail/plugins/managesieve/config.inc.php.dist /usr/share/roundcubemail/plugins/managesieve/config.inc.php -a

Then we edit this file and enter the required Sieve configuration details. As before, the changes are marked with the name Django and a date in the example below.

# vim /usr/share/roundcubemail/plugins/managesieve/config.inc.php

/usr/share/roundcubemail/plugins/managesieve/config.inc.php

<?php

// managesieve server port. When empty the port will be determined automatically
// using getservbyname() function, with 4190 as a fallback.
// Django : 2014-09-10
// default: $config['managesieve_port'] = null;
$config['managesieve_port'] = 4190;

// managesieve server address, default is localhost.
// Replacement variables supported in host name:
// %h - user's IMAP hostname
// %n - http hostname ($_SERVER['SERVER_NAME'])
// %d - domain (http hostname without the first part)
// For example %n = mail.domain.tld, %d = domain.tld
// Django : 2014-09-10
// default: $config['managesieve_host'] = 'localhost';
$config['managesieve_host'] = 'imap.dmz.nausch.org';

// authentication method. Can be CRAM-MD5, DIGEST-MD5, PLAIN, LOGIN, EXTERNAL
// or none. Optional, defaults to best method supported by server.
$config['managesieve_auth_type'] = null;

// Optional managesieve authentication identifier to be used as authorization proxy.
// Authenticate as a different user but act on behalf of the logged in user.
// Works with PLAIN and DIGEST-MD5 auth.
$config['managesieve_auth_cid'] = null;

// Optional managesieve authentication password to be used for imap_auth_cid
$config['managesieve_auth_pw'] = null;

// use or not TLS for managesieve server connection
// Note: tls:// prefix in managesieve_host is also supported
// Django : 2014-09-10
// default: $config['managesieve_usetls'] = false;
$config['managesieve_usetls'] = true;

// default contents of filters script (eg. default spam filter)
$config['managesieve_default'] = '/etc/dovecot/sieve/global';

// The name of the script which will be used when there's no user script
$config['managesieve_script_name'] = 'managesieve';

// Sieve RFC says that we should use UTF-8 encoding for mailbox names,
// but some implementations do not convert UTF-8 to modified UTF-7.
// Defaults to UTF7-IMAP
$config['managesieve_mbox_encoding'] = 'UTF-8';

// I need this because my dovecot (with listescape plugin) uses
// ':' delimiter, but creates folders with dot delimiter
$config['managesieve_replace_delimiter'] = '';

// disabled sieve extensions (body, copy, date, editheader, encoded-character,
// envelope, environment, ereject, fileinto, ihave, imap4flags, index,
// mailbox, mboxmetadata, regex, reject, relational, servermetadata,
// spamtest, spamtestplus, subaddress, vacation, variables, virustest, etc.
// Note: not all extensions are implemented
$config['managesieve_disabled_extensions'] = array();

// Enables debugging of conversation with sieve server. Logs it into <log_dir>/sieve
$config['managesieve_debug'] = false;

// Enables features described in http://wiki.kolab.org/KEP:14
$config['managesieve_kolab_master'] = false;

// Script name extension used for scripts including. Dovecot uses '.sieve',
// Cyrus uses '.siv'. Doesn't matter if you have managesieve_kolab_master disabled.
$config['managesieve_filename_extension'] = '.sieve';

// List of reserved script names (without extension).
// Scripts listed here will be not presented to the user.
$config['managesieve_filename_exceptions'] = array();

// List of domains limiting destination emails in redirect action
// If not empty, user will need to select domain from a list
$config['managesieve_domains'] = array();

// Enables separate management interface for vacation responses (out-of-office)
// 0 - no separate section (default),
// 1 - add Vacation section,
// 2 - add Vacation section, but hide Filters section
$config['managesieve_vacation'] = 0;

// Supported methods of notify extension. Default: 'mailto'
$config['managesieve_notify_methods'] = array('mailto');

Via the menu item Settings / Filters we can now manage our Sieve filter rules from the webmailer.
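
Because the configuration above sets managesieve_usetls = true, the Sieve server has to offer STARTTLS on port 4190, otherwise the plugin cannot log in securely. The following script is an added example, not code from this wiki page or from Roundcube or Dovecot: it parses the capability greeting a ManageSieve server sends on connect (RFC 5804) and reports whether STARTTLS is offered and whether plaintext login mechanisms are exposed before TLS. SAMPLE_GREETING is a constructed Dovecot-style greeting, and the host and port used by the live probe are assumptions.

```python
"""Check that a ManageSieve server is ready for managesieve_usetls = true.

Added example; not code from the original page or from Roundcube/Dovecot.
"""
import re
import socket

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample greeting in the style Dovecot Pigeonhole sends on port 4190
# when plaintext auth is disabled (note the empty "SASL" list before STARTTLS).
SAMPLE_GREETING = (
    '"IMPLEMENTATION" "Dovecot Pigeonhole"\r\n'
    '"SIEVE" "fileinto reject envelope encoded-character vacation imap4flags"\r\n'
    '"NOTIFY" "mailto"\r\n'
    '"SASL" ""\r\n'
    '"STARTTLS"\r\n'
    '"VERSION" "1.0"\r\n'
    'OK "Dovecot ready."\r\n'
)


def parse_greeting(text):
    """Map capability names to their value (None for bare capabilities such as STARTTLS)."""
    caps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The greeting ends with a response line: OK, NO or BYE.
        if line.split(" ", 1)[0] in ("OK", "NO", "BYE"):
            break
        tokens = QUOTED.findall(line)
        if not tokens:
            continue
        caps[tokens[0].upper()] = tokens[1] if len(tokens) > 1 else None
    return caps


def assess(caps):
    """Return (ok, findings); ok means the plugin can upgrade to TLS before logging in."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: managesieve_usetls = true cannot be honoured")
    # PLAIN/LOGIN offered before TLS means a client could send credentials in clear.
    pre_tls_plain = [m for m in (caps.get("SASL") or "").split() if m.upper() in ("PLAIN", "LOGIN")]
    if pre_tls_plain:
        findings.append("plaintext mechanisms offered before TLS: " + " ".join(pre_tls_plain))
    if "fileinto" not in (caps.get("SIEVE") or "").split():
        findings.append("fileinto extension missing: folder-sorting rules will not work")
    return "STARTTLS" in caps, findings


def fetch_greeting(host, port=4190, timeout=5.0):
    """Read the greeting from a live server; no login is attempted (host is an assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not re.search(rb"(?m)^(OK|NO|BYE)\b.*\r\n", data):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", "replace")


if __name__ == "__main__":
    # Swap SAMPLE_GREETING for fetch_greeting("imap.example.org") to probe a real server.
    capabilities = parse_greeting(SAMPLE_GREETING)
    tls_ok, notes = assess(capabilities)
    print("TLS ready:", tls_ok)
    for note in notes:
        print(" -", note)
```

Run it against the sample first; then replace the sample with fetch_greeting() pointed at the host configured in managesieve_host to confirm the server really advertises STARTTLS before relying on the plugin's TLS setting.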

ACL

We now configure the ACL plugin for the management of shared folders. First we copy the configuration file from the RPM.

# cp /usr/share/roundcubemail/plugins/acl/config.inc.php.dist /usr/share/roundcubemail/plugins/acl/config.inc.php -a

Then we edit this new file.

# vim /usr/share/roundcubemail/plugins/acl/config.inc.php

/usr/share/roundcubemail/plugins/acl/config.inc.php

<?php

// Default look of access rights table
// In advanced mode all access rights are displayed separately
// In simple mode access rights are grouped into four groups: read, write, delete, full
$config['acl_advanced_mode'] = false;

// LDAP addressbook that would be searched for user names autocomplete.
// That should be an array referring to the $config['ldap_public'] array key
// or complete addressbook configuration array.
$config['acl_users_source'] = '';

// The LDAP attribute which will be used as ACL user identifier
$config['acl_users_field'] = 'mail';

// The LDAP search filter will be &'d with search queries
$config['acl_users_filter'] = '';

// Include the following 'special' access control subjects in the ACL dialog;
// Defaults to array('anyone', 'anonymous') (not when set to an empty array)
// Example: array('anyone') to exclude 'anonymous'.
// Set to an empty array to exclude all special ACL subjects.
$config['acl_specials'] = array('anyone', 'anonymous');

?>

Via the menu item Settings / Folders / Folder Properties / Sharing we can now manage the access rights for others to individual folders from the webmailer.

-----------------------

Set up HTTP to HTTPS redirection

For those users who forget to type “https” instead of “http” let us also set up an automatic redirection so that they will be forwarded to the secure URL. Edit the /etc/apache2/sites-available/000-default file and insert

Redirect permanent / https://YOUR.MAIL.SERVER/

anywhere within the VirtualHost section. Of course you have to replace YOUR.MAIL.SERVER with the fully-qualified domain name of your mail server. This configuration is enabled by default so you just need to reload the web server to make your change work:

service apache2 reload

Plugins

Further down in /etc/roundcube/config.inc.php there is a list of plugins that Roundcube loads. The “archive” and “zipdownload” plugins are probably already enabled. Add the “managesieve” and “password” plugins so that the setting looks like this:

$config['plugins'] = array(
  'archive',
  'zipdownload',
  'managesieve',
  'password',
);

Next comes an optional setting. The default session lifetime in Roundcube is 10 minutes. That means if a user does not use the webmail interface for more than 10 minutes they will be logged out. I found that annoying and increased that timeout to one hour. To do that, add at the end of the config file:

$config['session_lifetime'] = 60;

And if you would like to change the default logo of Roundcube that can be done by setting:

$config['skin_logo'] = './ispmail-logo.png';

ISPmail logo for Roundcube

You just need to copy that image file by that name to /var/lib/roundcube/ispmail-logo.png. The logo should be 177×49 pixels large. Feel free to take this nifty ISPmail logo I crafted. 🙂

If the logo appears to be broken then make sure that the permissions are correct:

chmod a+r /var/lib/roundcube/ispmail-logo.png

When you reload the login form in the browser it will then look like this instead:

Configuring the managesieve plugin

The “managesieve” plugin will allow your users to manage automatic rules for their email. These rules are stored on the server and will be run automatically. You need to configure this plugin though. A default configuration can be found at /usr/share/roundcube/plugins/managesieve/config.inc.php.dist on your system. Copy it to the location where Roundcube will look for it:

cp /usr/share/roundcube/plugins/managesieve/config.inc.php.dist /etc/roundcube/plugins/managesieve/config.inc.php

No further changes are required.

Configuring the password plugin

We urge our users to change their passwords frequently. So we need to give them a chance to actually do that. Copy the default configuration file /usr/share/roundcube/plugins/password/config.inc.php.dist to the right place:

cp /usr/share/roundcube/plugins/password/config.inc.php.dist /etc/roundcube/plugins/password/config.inc.php

The configuration file at /etc/roundcube/plugins/password/config.inc.php requires a couple of changes though. We need to tell it how our database works and what to do when a user wants to change their password. The first setting deals with the minimum length of the password. I recommend enforcing at least 10 characters. In fact the complexity of the password is not that important. Consider XKCD as food for thought on password security. So set:

$config['password_minimum_length'] = 10;

We should allow the user to use the old password as the new password. It may sound stupid but as we are upgrading the password scheme from the weak unsalted MD5 to the better SHA2 algorithm we should allow that:

$config['password_force_save'] = true;

Next the password plugin needs to know how to access your database:

$config['password_db_dsn'] = 'mysql://mailuser:ChangeMe@127.0.0.1/mailserver';

Replace “ChangeMe” by the randomly generated password you created earlier for the “mailuser” MySQL user.

Now tell the plugin how to actually write the new password hash into the database:

$config['password_query'] = "UPDATE virtual_users SET password=CONCAT('{SHA256-CRYPT}', ENCRYPT (%p, CONCAT('$5$', SUBSTRING(SHA(RAND()), -16)))) WHERE email=%u;";
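
The query above writes each new password as {SHA256-CRYPT}$5$<16-character salt>$<hash>, while rows from before the migration may still hold unsalted MD5, which is exactly why password_force_save = true is set. The following script is an added example, not code from the ISPmail guide or from the Roundcube password plugin: it classifies every stored password value so an admin can see which accounts have not been re-saved with the new scheme yet. It assumes an in-memory sqlite copy of the table reduced to the email and password columns (the real table is MySQL), and SAMPLE_ROWS are constructed accounts with placeholder hashes of the right shape.

```python
"""Audit which virtual_users rows still carry a legacy password hash.

Added example; not code from the ISPmail guide or the Roundcube password plugin.
"""
import re
import sqlite3

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$", re.S)
# crypt(3) SHA-256 ($5$) / SHA-512 ($6$) strings: optional rounds=, salt of up to 16 chars
CRYPT_RE = re.compile(
    r"^\$(?P<id>[56])\$(?:rounds=\d+\$)?(?P<salt>[^$]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

# Expected base64 digest length of the crypt string for each target scheme.
STRONG = {"SHA256-CRYPT": 43, "SHA512-CRYPT": 86}
# Dovecot schemes weaker than the target: unsalted, fast, or reversible.
LEGACY = {"PLAIN", "CLEARTEXT", "PLAIN-MD5", "LDAP-MD5", "SMD5", "MD5", "MD5-CRYPT",
          "SHA", "SHA1", "SSHA", "CRYPT", "DES-CRYPT"}

SAMPLE_ROWS = [  # constructed data; the hash parts are placeholders of the right length
    ("alice@example.org", "{SHA256-CRYPT}$5$2f3a9b1c0d4e5f67$" + "A" * 43),
    ("bob@example.org", "5f4dcc3b5aa765d61d8327deb882cf99"),            # bare MD5, no prefix
    ("carol@example.org", "{PLAIN-MD5}5f4dcc3b5aa765d61d8327deb882cf99"),
    ("dave@example.org", "{SHA512-CRYPT}$6$0123456789abcdef$" + "C" * 86),
    ("erin@example.org", "{SHA256-CRYPT}$5$short$" + "B" * 43),
]


def classify(stored):
    """Return (verdict, reason) for one password column value."""
    m = SCHEME_RE.match(stored)
    scheme, body = (m.group(1).upper(), m.group(2)) if m else (None, stored)
    if scheme is None:
        if HEX32_RE.match(body):
            return "weak", "no scheme prefix; looks like an unsalted MD5 digest"
        return "unknown", "no scheme prefix and unrecognised format"
    if scheme in LEGACY:
        return "weak", f"{scheme} is a legacy scheme; user must re-save their password"
    if scheme in STRONG:
        cm = CRYPT_RE.match(body)
        expected_id = "5" if scheme == "SHA256-CRYPT" else "6"
        if cm is None or cm.group("id") != expected_id or len(cm.group("hash")) != STRONG[scheme]:
            return "broken", f"{scheme} prefix but the body is not a valid crypt(3) string"
        if len(cm.group("salt")) < 16:  # the UPDATE query always produces 16 salt characters
            return "warn", f"{scheme} with only a {len(cm.group('salt'))}-char salt"
        return "ok", scheme
    return "unknown", f"scheme {scheme} is not in the audit table"


def build_sample_db():
    """In-memory stand-in for the MySQL virtual_users table (assumption for offline use)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_users (id INTEGER PRIMARY KEY, "
                 "email TEXT NOT NULL UNIQUE, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO virtual_users (email, password) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def audit(conn):
    """Return [(email, verdict, reason)] ordered by email."""
    rows = conn.execute("SELECT email, password FROM virtual_users ORDER BY email").fetchall()
    return [(email, *classify(pw)) for email, pw in rows]


def summary(results):
    """Count verdicts, e.g. {'ok': 2, 'weak': 2, 'warn': 1}."""
    counts = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for email, verdict, reason in audit(build_sample_db()):
        print(f"{verdict:7} {email:22} {reason}")
```

Point the audit at the real database once the sample output looks right; the "weak" rows are the accounts whose owners still have to log in and save a password so that the UPDATE query above rewrites the stored value.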

---